Nozomi Networks Quality Stands Out in ICS Detection Challenge at S4

This week the top minds in ICS cyber security are gathered at the S4 conference in Miami, Florida. This conference distinguishes itself by being highly technical, large (400+ attendees) and where bold initiatives to improve industrial cyber security are made.

This year’s key initiative is the ICS Detection Challenge, an event designed to test the capabilities of passive ICS monitoring and threat detection solutions. Since our products lead this category, and because we are committed to protecting critical infrastructure and the people who could be impacted by a compromise, we are eager to be part of it.

The Nozomi Networks solution achieved a high score for asset inventory identification, and it was called out by the judges for being “more detailed and accurate” than the other solutions.

Read on to find out more about this competition and our results.

The Nozomi Networks S4 Challenge team of Andrea Carcano, Moreno Carullo and Paul Smith (shown above from left to right) during the competition.

The S4 ICS Asset Identification Challenge

One of the purposes of this event is to increase awareness around the value of passive ICS monitoring solutions. This includes the automation of asset inventory. Until recently, documenting all assets and network connections in a large, heterogeneous industrial control network was a major effort. And this undertaking was only made harder by the fact that industrial networks change frequently, with devices being added and changed all the time.

In the S4 Challenge, our team attached a SCADAguardian appliance to a 100 Mbps SPAN port on a switch. Packet captures, or PCAPs, were then played on the switch and were copied to and analyzed by our appliance. The PCAPs represented network traffic from:

A real pipeline SCADA system

A DCS at a terminal

Some HMI / PLC installations at middle to small terminals

Although a real scenario, the packet data was anonymized. Most of the captures took place during normal operations, but some were taken during a maintenance window. The communications consisted of ICS protocols and Level 0/1 devices commonly used in the U.S. oil and gas market.

The organizers described the Challenge as being “harder than the real world” because of the limited time duration of the sample, the lack of context, and the fact that only one sensor was used to gather and analyze network traffic.

Our team had four hours to complete an asset inventory spreadsheet for a PCAP that played for about 50 minutes. We used only our own product, SCADAguardian, and the open source tool Wireshark to analyze the packets. These tools represent what we bring onsite for the implementation of our solution.

Although four hours were allowed for the competition, we submitted our results in two hours. The results included a spreadsheet of the assets identified on the system, and their attributes.

In submitting our responses, we only submitted information that we could verify was true. For example, when identifying devices, it is straightforward to identify their MAC vendors, i.e., the original manufacturer of the network interface. But we only named the vendor when we positively knew the product (PROD) vendor. From our point of view, it is important to know not just the endpoints, but the encompassing systems around them.

For example, if a system such as a Cisco switch (as indicated by its MAC address) is being used as a Siemens SCALANCE switch (the PROD vendor), we want to make sure our solution knows it. Knowing the context in which the device is used leads to SCADAguardian having fewer false positives in anomaly detection.

In the Identification phase of the S4 Challenge, Nozomi Networks was commended for our asset discovery differentiators.

Bonus Cyber Security Information

In addition to identifying assets, we submitted additional information about cyber risks.

An IP address that received >300 connections in 30 seconds. This might be an attack in progress. Operators would receive a high-level alert, allowing them to investigate and take action.

A device using a cleartext username and password was identified.

A listing of the vulnerabilities associated with the devices on the network.
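The first of these findings, the “>300 connections in 30 seconds” condition, is a simple connection-rate rule that any passive monitor can evaluate. The following is an added example written for this post, not SCADAguardian's own detection logic; it assumes connection records have already been extracted from the PCAP as (timestamp, source IP, destination IP) tuples sorted by time, and it runs over a constructed sample capture with a slow PLC poll and one burst against an HMI.

```python
from collections import defaultdict, deque

THRESHOLD = 300   # connections to one destination (from the Challenge rule)
WINDOW = 30.0     # seconds

def detect_connection_bursts(records, threshold=THRESHOLD, window=WINDOW):
    """records: iterable of (timestamp_seconds, src_ip, dst_ip), sorted by time.
    Keeps a sliding window of connection times per destination so a burst
    anywhere in the capture is caught, not only one aligned to fixed 30 s bins.
    Returns one (dst_ip, window_start, window_end, count) alert per destination,
    raised the first time its count exceeds the threshold."""
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, _src, dst in records:
        q = windows[dst]
        q.append(ts)
        # Drop connections that fell out of the trailing window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and dst not in alerted:
            alerted.add(dst)
            alerts.append((dst, q[0], ts, len(q)))
    return alerts

def make_sample_capture():
    """Constructed sample traffic (hypothetical addresses)."""
    recs = []
    # Normal: the SCADA master polls the PLC once per second for 60 s.
    for i in range(60):
        recs.append((float(i), "10.0.1.10", "10.0.1.50"))
    # Anomaly: 350 connections to the HMI within 20 s, starting at t=10 s.
    for i in range(350):
        recs.append((10.0 + i * (20.0 / 350), "10.0.9.99", "10.0.1.20"))
    recs.sort(key=lambda r: r[0])
    return recs

if __name__ == "__main__":
    for dst, start, end, n in detect_connection_bursts(make_sample_capture()):
        print(f"ALERT {dst}: {n} connections between t={start:.1f}s and t={end:.1f}s")
```

A real deployment would feed this from a SPAN-port capture and add the context the text describes (which asset owns the IP, whether a maintenance window is open) before raising the alert to operators.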

Within minutes of deployment, which operators cite as the easiest and smoothest in this product category, all nodes of the industrial network are presented in an interactive visualization.

Asset Views make it easy to find and drill down on asset information, and the level of detail available is high.

Security Differentiator: SCADAguardian immediately identified a node that had >300 connections in 30 seconds. Operators would receive a high-level alert, to warn them of a possible attack in progress.

Security Differentiator: SCADAguardian automatically identifies vulnerabilities and in the competition was commended for identifying CVEs for Rockwell and Cisco devices.

Automated Asset Inventory that is Detailed and Accurate

For too long industrial operators and cyber security staff faced the impossible task of trying to manage and monitor a system that was not thoroughly documented or easy to visualize.

Time and time again, when our prospects and customers experience the smooth installation of our solution and its immediate visualization of their system, they are delighted. They instantly perceive aspects of their ICS that they were not aware of, and they can easily drill down and explore to find out more information.

Furthermore, they are quickly made aware of any existing situations which threaten cyber security or reliability, such as improper connections, default credentials, and vulnerabilities.

We are proud to be the vendor that was called out by the S4 Challenge judges as providing a “more detailed and accurate” asset inventory than our competitors.

If you are involved with reliability or cyber security of a critical infrastructure or manufacturing system, we encourage you to find out what our solution can do to make your job easier.

When Enel wanted to improve reliability, efficiency and cyber security, one of their selection criteria was to eliminate time consuming ICS monitoring.

They selected the Nozomi Networks solution, which provided full visibility and monitoring of their control network. This includes sites at remote, isolated locations, as well as connections between Enel and the Transmission System Operator.

“Nozomi Networks SCADAguardian is an essential tool for our daily activities and substantially improves the reliability, efficiency and cyber security of our remote control system.”

Andrea Carcano, an expert in industrial network security, advises governments, industrial operators, security partners and industry organizations on ICS cyber security strategies and best practices. He holds a Ph.D. in Computer Science focused on critical infrastructure security, and has authored multiple academic papers on ICS malware attacks and advanced attack detection techniques. As Founder and Chief Product Officer at Nozomi Networks, Andrea and his team are defining a new generation of ICS security solutions that detect complex intrusions to critical infrastructure control systems.